665c4711f34f306a495376c49d822d61.ppt
- Number of slides: 12
Continuous Monitoring / Continuous Auditing
Organizational Readiness
What Needs To Be Done, Making It Happen
Clyde Rogers
clyde.rogers@sympatico.ca
Research & Information Sources
- Professional Experience – Senior Director, Continuous Auditing at Major Bank
- Industry – Barclays, RBS, Wells Fargo, Citigroup, RBC, Fleet
- Organizations – IIA & ADR
- External Firms – Deloitte, KPMG, E&Y
- Academic – Centre for Continuous Auditing – Rutgers, U of Waterloo
Guiding Principles - Mindset
- Improve Efficiency and/or Effectiveness – Needs to Business Case, Be Important, $'s, Benefits
- COSO/COCO Frameworks, Enterprise Wide Risk Management, Control Self-Assessment
- Changing Regulatory Requirements – SOX, Basel
- Partner with Client & Governance Groups
- Validate - Cross Organization Roles & Responsibilities & Acceptance
Guiding Principles – Mindset
- Client Monitors & Manages Risk and Compliance
- Audit Gets Assurance From Client & Partner Processes as well as Independent Testing
- Information Technology is an Enabler – Larger Than That
- Staged and Incremental Implementation – Business Line & Phases
Success Drivers
- Promoted/Championed by Senior Executive – Chief Auditor & Business Line Executive
- Focus On a "Quick Win" – Business Line Readiness – Operating Models
- Business Line Buy-In also Influences Governance and Support Groups
- Leverage/Benchmark to Industry & Non-Industry Leaders and Best Practices
CM – CA Model/Processes
[Diagram. Labels include: Whistle Blower, Staffing, Operational, Losses, Issues, Advisory Support Lines, Early Warning Systems, Key Performance, Risk Teams, Continuous Auditing Warehouse, External/Regulatory, NIAP, Traditional Auditing, Operational Risk, Inherent Risk, Quarterly Audit Planning and Reporting. Risk and Frequency Model: Prior Audit Results (Strong or Satisfactory, Requires Improvement, Unsatisfactory); Suggested Action (No Action, As scheduled, Proceed with audit, Accelerate audit activity).]
Business Line Profile
- Standard Operating Environment – 1,000 locations – National – 4 Segmented Client Offers
- Confusion/Duplication Between Functions in Roles & Responsibilities – 4 Major Risk Teams
- Quick Win – Risk Teams – Duplication & Costs
- Conflicting Reporting to Clients & Stakeholders
Benefits – Phase I – Risk Teams
- Align Risk Teams Coverage to Meet the Needs of all Groups – 1 Group – Audit Leverages (QA)
- Roles & Responsibilities Defined and Aligned to Changing and Emerging Regulatory Requirements – SOX, Basel
- Improve Effectiveness & Efficiency – Less Branch Disruption – Also $2 million Savings
- Move to Continuous Monitoring/Auditing Model – Foundational to Phase II – Further Benefits
Phase I
[Diagram: on-site testing by group (SOX, Basel, W/M, Compliance, Internal Audit, Business Risk) across Q1 2005, Q2 2005 and Q1 2006.]
Reduced On-site Testing Through:
• Inventorying current on-site testing activities
• Changing/adding/deleting tested activities
• Identifying duplication
• Migrating duplicated testing to FRS
• Eliminating migrated testing from groups
• Developing process to audit FRS
• Focusing on routine activities
• Processes review with product groups
Benefits – Phase II - EWS
- Leverage Information Technology - Consists of Data Mining and Analytics
- Whole Portfolios – Holistic View – Real Time
- Additional Efficiencies - $5 million
- Major Step Towards Continuous Monitoring/Auditing Model
- Monitoring Capability Enhanced:
  - Reduces Onsite Testing
  - Risk Indicators/Trends To Support On-site Testing
  - Improves Earlier Identification – More Predictive
Phase II
[Diagram: on-site testing by group (SOX, Basel, W/M, Compliance, Internal Audit, Internal Audit/Basel, Business Risk) at Q1 '07.]
Reduced On-site Testing Through:
• Develop central monitoring capability
• Enhanced technology platform
• Leverage existing knowledge (NRM/EWS/CRS)
• Central monitoring for select activities
• Further on-site testing eliminated
• Majority of on-site testing migrated to FRS